Revision as of 19:51, 31 May 2013

AIDE is a host-based intrusion detection system (HIDS) for checking the integrity of files.
It does this by creating a baseline database of files on an initial run,
and then checks this database against the system on subsequent runs.
File properties that can be checked include the inode number, permissions, modification time, file contents (via checksums), etc.

AIDE only does file integrity checks.
It does not check for rootkits or parse logfiles for suspicious activity,
like some other HIDS (such as OSSEC) do.
For these features, you can use an additional HIDS
(see here for a possibly biased comparison),
or use standalone rootkit scanners (rkhunter, chkrootkit)
and log monitoring solutions (logwatch, logcheck).

Security

Since the database is stored on the root filesystem,
attackers can easily modify it to cover their tracks if they compromise your system.
You may want to copy the database to offline, read-only media
and perform checks against this copy periodically.
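The baseline-then-check cycle described above, together with this section's advice to compare the on-disk database against an offline copy, as an added Python example (not AIDE's own code; the directory tree, file contents and the set of recorded properties are constructed for the demonstration):

```python
import hashlib, json, stat, tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Properties of the kind AIDE records: inode, permission bits, owner, size, mtime, content hash."""
    st = path.lstat()
    return {"inode": st.st_ino, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def build_baseline(root: Path) -> dict:
    """The initial run: record every regular file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): file_record(p) for p in sorted(root.rglob("*")) if p.is_file()}

def check(root: Path, baseline: dict) -> dict:
    """A subsequent run: list files added, removed, or whose recorded properties now differ."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in sorted(set(current) & set(baseline)):
        diffs = [k for k in baseline[rel] if current[rel][k] != baseline[rel][k]]
        if diffs:
            report["changed"][rel] = diffs
    return report

def db_digest(db: dict) -> str:
    """Fingerprint of the serialised database. Keep it (or the whole database) on
    read-only media and compare before trusting the copy on the root filesystem."""
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()

def demo() -> dict:
    """Baseline a constructed tree, alter it, run the check and the database-integrity comparison."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (root / "etc/shadow").write_text("root:!:0::::::\n")
        (root / "etc/shadow").chmod(0o600)
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        offline_digest = db_digest(baseline)  # what the read-only copy would carry
        # Constructed changes: content edit, permission change, new file, deleted file.
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/bash\nguest:x:1000:1000::/home/guest:/bin/sh\n")
        (root / "etc/shadow").chmod(0o644)
        (root / "etc/new.conf").write_text("example\n")
        (root / "etc/hosts").unlink()
        report = check(root, baseline)
        # A database rewritten on disk to match the edited file no longer matches the offline digest.
        forged = {**baseline, "etc/passwd": file_record(root / "etc/passwd")}
        report["db_intact"] = db_digest(baseline) == offline_digest
        report["forged_db_detected"] = db_digest(forged) != offline_digest
        return report
```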